Cyber security can be overwhelming and for organizations just starting out the question is — where do you actually begin? What are the first steps that a small organization can take to build a cyber security program?
Curricula’s founder and CEO Nick Santora (CISA, CISSP) sat down with the co-founder and CTO of Blumira, Matt Warner to discuss what it means to start from ‘square one’ in your security program. Blumira is a threat detection and response platform that has specialized technology to help organizations prevent ransomware attacks and data breaches.
Let’s break down some of the topics that Nick and Matt discussed on how to improve your organization’s security posture, for those just starting out or looking to improve their cyber security program’s maturity.
Free or low-cost security tools to get started
One of the biggest roadblocks to developing an effective cyber security program is a lack of resources. We’ve heard it over and over, but it’s a hard thing to overcome. However, even if your organization’s budget is tight, there are still a number of tools you can use to begin building your security maturity.
When scaling out a baseline security program here are five (5) helpful and inventive tools that can jump-start your organization’s cyber security IQ on a budget:
1. Multi-Factor Authentication (MFA/2FA)
Arguably, one of the easiest changes with the greatest payoff is implementing multi-factor authentication. Most mainstream services you already use include MFA for free (or at a low cost). For example, if you use G Suite for your organization’s email, 2-Step Verification is built in and an admin can require it for every account. There are also plenty of free authenticator apps, such as Authy and LastPass Authenticator. Where the service gives you a choice, prefer an authenticator app or a hardware security key over SMS codes: SMS is far better than nothing, but it is the weakest of the options.
2. Password Manager
Nick shared “most people have over 30 passwords themselves,” which we know is impossible to memorize if they’re actually strong and unique. But any IT professional knows that, more often than not, it’ll be a reused password, or one written down on a sticky note somewhere.
The beauty of a password manager is that almost all of them have a free tier, especially for personal use. Unless you need to upgrade for special features such as team sharing, a password manager is a no-brainer. It will help your employees stay secure both in and outside of the office.
3. Security Awareness Training
Since employees are your organization’s first line of defense, security awareness training has one of the highest ROIs, as it touches every member of your organization. Nick validated “creating some form of an education program to get employees to learn and resonate with why we’re implementing these security tools will help create a synergy between you and your employees.” Making good cyber hygiene a habit at work carries over to personal use, making employees substantially more secure in every aspect of their lives.
The benefit of security awareness training is that people can take it with them. They can use it in their home life and share it with others, so it becomes more of a shared experience.
Security awareness training is budget-friendly costing roughly the same amount as a cup of coffee. However, you can also get it for free using Curricula. Curricula Free is a free plan that helps your organization of up to 1,000 employees to get started with a foundation of basic security awareness training, which includes fun training episodes, a phishing simulator, and easy reporting.
4. Practice makes perfect
Tabletop exercises and mock audits are two recommended examples of using practice as a tool. Tabletop exercises are informal, discussion-based practice events in which you walk through a simulated cyber incident. Like a fire drill at school, it’s important to know the proper procedures so people don’t panic if a real incident occurs. For organizations going through compliance, mock audits are a great practice tool to make sure your employees are comfortable speaking to an auditor and to double-check that all your security standards are up to scratch.
Matt broke this down by explaining “Even if it’s something like ‘what would happen if our service went down?’ You’re always going to be able to elicit ideas that you wouldn’t be able to think of when it actually happens to you… and all it takes is your time.” The best part about these tactics is that they can be done for free. The only resource you’ll spend is time, but for something as serious as incident response or preparing for a cyber threat, that time is invaluable and well worth it.
5. Detecting threats
When starting off, it’s good to know what’s going on in your environment, especially for organizations handling data of any kind. Threat detection solutions like Blumira are relatively low-cost ways to get threats detected and responded to quickly. If your budget doesn’t stretch to that, there are simpler options you can opt for.
One of those free solutions is called Canary Tokens. Matt explained, “You can create hundreds of canary tokens ranging from files to API keys to URLs, which allows you to drop these tokens around your environment to quickly allow you to identify if something has happened.” They won’t stop an attacker who has already reached the token, but a hit is a high-fidelity signal that someone is somewhere they shouldn’t be, since nothing legitimate ever touches a token. That early warning is exactly what a small team without a full detection stack needs.
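To make the mechanism concrete, here is an added example of the two halves of a honeytoken workflow in Python. It is not code from the webinar, from Blumira or from the Canary Tokens service; it mints unguessable tokens while recording where each was planted, renders them as a decoy URL or a fake API key, then scans log lines for any token that shows up. The domain canary.example.com and the log lines are assumed and constructed for the example.

```python
"""
Minimal honeytoken ("canary token") workflow (added example, not the
webinar's or Blumira's code).

  1. mint(): create a random, unguessable token and record where it was
     planted, so an alert later tells you which decoy was touched;
  2. render(): turn it into the artefact you actually drop (a URL or a
     fake API key shaped like a real one);
  3. scan(): look for known tokens in log text.  Any hit is an alert,
     because no legitimate process ever uses a token.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed: a hostname you control; any request to it is suspicious.
CANARY_HOST = "canary.example.com"

# Tokens are 16 random bytes as 32 hex characters; this is what scan() looks for.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


@dataclass
class Token:
    token_id: str
    kind: str         # "url" or "api_key"
    planted_at: str   # where you dropped it, so the alert is actionable


class CanaryRegistry:
    """Mints tokens and recognises them later in log text."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def mint(self, kind: str, planted_at: str) -> Token:
        if kind not in ("url", "api_key"):
            raise ValueError(f"unknown token kind {kind!r}")
        # secrets (not random) so the id is unguessable: a hit is never noise.
        tok = Token(secrets.token_hex(16), kind, planted_at)
        self._tokens[tok.token_id] = tok
        return tok

    def render(self, tok: Token) -> str:
        """The artefact you plant: a URL, or a fake key that looks worth stealing."""
        if tok.kind == "url":
            return f"https://{CANARY_HOST}/t/{tok.token_id}"
        return f"sk_live_{tok.token_id}"

    def scan(self, log_lines: Iterable[str]) -> List[dict]:
        """Return one alert per log line that contains a registered token."""
        alerts = []
        for line in log_lines:
            for candidate in set(TOKEN_RE.findall(line)):
                tok = self._tokens.get(candidate)
                if tok is not None:
                    alerts.append({"token": tok, "line": line.strip()})
        return alerts


def demo() -> List[dict]:
    """Plant two tokens, then scan constructed log lines for them."""
    reg = CanaryRegistry()
    url_tok = reg.mint("url", "bookmark in the shared IT-admin browser profile")
    key_tok = reg.mint("api_key", "fake credential in /srv/app/.env on web-01")
    planted_url = reg.render(url_tok)
    planted_key = reg.render(key_tok)

    # Constructed log lines (not real data): a benign request, a request for
    # the canary URL, and a failed API call made with the fake key.
    logs = [
        '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'203.0.113.9 - - [01/Jan/2024:10:02:13 +0000] "GET {planted_url} HTTP/1.1" 404 0',
        f"api-gw: auth failed for key {planted_key} from 198.51.100.77",
    ]
    return reg.scan(logs)


if __name__ == "__main__":
    for alert in demo():
        t = alert["token"]
        print(f"ALERT {t.kind} token planted at '{t.planted_at}' was used: {alert['line']}")
```

The scan step is deliberately dumb: it only needs to recognise a string it minted, which is why a hosted canary service can run the same logic for you at scale. The value is in the `planted_at` field, because an alert that says which decoy was touched tells you where the attacker already is.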
Security frameworks 101
There’s no shortage of frameworks in the cyber industry, all of which vary in complexity, but they have a very similar message. Matt breaks down the purpose and goals of what a framework brings to the organization:
Security frameworks help an organization map how it’s approaching IT and security processes to what’s actually happening in that environment. This will allow the organization to say ‘from the security framework of X I know that I’m compliant to this extent and I know where I am from a maturity perspective.’ The goal is to see where you are and how to continue to move forward.
Frameworks such as the CIS Controls, along with compliance regimes such as HIPAA and SOC 2, are a great jumping-off point for developing your cyber security program, as they give concrete guidance on reaching a baseline security posture. Be sure to set regular KPIs to help you target what needs solving and assess your progress as you go.
While frameworks can give clarity to organizations and create a level of standard for everyone to agree with, there are a few things to be aware of.
I've seen the bad side of compliance and what it can do to an organization and its employees. It puts tunnel vision on just meeting compliance rather than actually staying secure. Compliance requirements shouldn't distract organizations from the actual use of these frameworks.
Following a framework purely for compliance can be the difference between creating a good security culture and a bad one. If you’re truly trying to make a better security investment for the future, a framework should be used as a base of understanding on which you build out strategies specific to your organization. Meeting compliance should be an added bonus to the real goal of staying secure.
Getting buy-in from management and employees
Matt explained the first step to starting a security discussion within your organization: “generally speaking you need top-down buy-in to ensure you have alignment across your organization.” From the top, if you have C-levels who don’t believe in IT security, it’s really difficult to get them to care. One way to address this is to talk to them about something they do care about: risk, and the ROI or business impact of what could happen if you didn’t implement security controls.
Nick added, “Start focusing on the outputs rather than the outcomes. If you can describe the outcome, good or bad, then you start to paint the picture and open a conversation around the topic. We need to get better at translating our needs and requests to the board and executives.”
Changing the tune and talking in terms of a narrative can help those who don’t understand the technology see the long-term value. Some questions to get you started: How much money could we lose? What could go wrong? How long could we be down? Is there a better approach? This strategy is the #1 way we’ve seen customers of Curricula make the decision to implement our program.
While executives are important, remember that employees are at the heart of your organization (and its security), so you need to get them on board with building a security culture too. Security is a team effort: even if top-level management makes the decisions, employees are the ones who have to actually use and cooperate with the security solutions chosen.
Time to grab the popcorn
Watch our entire webinar with Blumira below to get even more information on how and why you should get your security awareness program started today.